Can't authenticate via System Preferences after successfully setting up PAM challenge-response #125

Open
aymswick opened this issue May 30, 2017 · 5 comments


aymswick commented May 30, 2017

I'm using a YubiKey Neo with macOS Sierra (10.12.5) and after multiple configuration issues and poring through the docs, I've successfully set up the challenge-response authentication to log in with my YubiKey. My admin password for my Mac user account works fine in terminal for sudo purposes, but will not work when System Preferences prompts for authentication.

For example, when trying to click the Lock symbol within the Users & Groups pane in System Preferences, this dialog appears:
[screenshot: screen shot 2017-05-29 at 9 08 26 pm]

But neither my admin password nor my YubiKey PIN is accepted. I appreciate any help you can offer!

Member

klali commented May 31, 2017

The PAM configuration on a Mac is tricky. I'm assuming you've added pam_yubico.so to the /etc/pam.d/login file; anything else?

You're mentioning a PIN; for challenge-response with a YubiKey you shouldn't need a PIN at all.

To see if the PAM module is called at all you can add two statements to the PAM line for it:
`debug debug_file=/tmp/pam_yubico`
You need to make sure you're running version 2.24 of the module and that the file you point it to exists for the debug_file statement to have any effect. When this is enabled the module should write out what happens to that file and you should be able to see if it loads and fails or if something else goes wrong.
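
One way to check the conditions from the comment above against a PAM service file such as /etc/pam.d/login, as an added example that is not part of the original thread or the project's code. The function name and status words are made up here, and it does not check the module version.

```shell
#!/bin/sh
# Added example: report, for each active pam_yubico.so line in a PAM service
# file, whether "debug" is set and whether the debug_file target exists.
# check_yubico_debug and its status words are hypothetical names.
check_yubico_debug() {
    pam_file=$1
    # Keep only non-comment lines that load pam_yubico.so
    lines=$(grep -v '^[[:space:]]*#' "$pam_file" | grep 'pam_yubico\.so') || true
    if [ -z "$lines" ]; then
        echo "not-configured"
        return 0
    fi
    printf '%s\n' "$lines" | (
        set -f  # no globbing while word-splitting PAM lines
        while IFS= read -r line; do
            has_debug=no
            dbg_file=""
            for word in $line; do
                case $word in
                    debug) has_debug=yes ;;
                    debug_file=*) dbg_file=${word#debug_file=} ;;
                esac
            done
            if [ "$has_debug" = no ]; then
                echo "debug-off"
            elif [ -z "$dbg_file" ]; then
                echo "debug-no-file"
            elif [ ! -e "$dbg_file" ]; then
                # The comment above says the file must already exist
                echo "debug-file-missing:$dbg_file"
            else
                echo "ok:$dbg_file"
            fi
        done
    )
}

# Stand-alone use: sh check.sh /etc/pam.d/login
if [ $# -gt 0 ]; then
    check_yubico_debug "$1"
fi
```

A `debug-file-missing` result means the file has to be created before the next authentication attempt; a file under /tmp is readable by other local users unless its permissions are restricted.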


eici commented Jul 11, 2017

I got the exact same problem after following this guide:
https://www.yubico.com/wp-content/uploads/2016/02/Yubico_YubiKeyMacOSXLogin_en.pdf
@klali: In this guide there is no reference to a /etc/pam.d/login file.
@aymswick: Did you resolve your problem? How?


ghost commented Aug 29, 2017

I was also struggling with it following the document mentioned by @eici.
Eventually I did everything the guide says, then enabled support for keychain (by pressing "Set up on macOS"). The tricky part is that after you've entered the PIN and the prompt is grayed out, Yubi starts blinking, which means it wants you to touch it. It is not clearly mentioned in the document(s), but there's that - it waits around 2 seconds, blinking, and silently fails if it didn't receive anything. So, make sure you touch the key when it blinks, because macOS won't inform you unless you use the command-line interface.

@philsalesses

@light2yellow posted the correct answer


a-ml commented Aug 24, 2018

Hello @aymswick, did you solve your issue... I've been doing everything and nothing seems to work.
